1. Summary

A specially crafted HTML web page will cause a visitor’s E303 device to silently send one or more SMS (text) messages. The device will neither ask for permission nor offer any means to cancel the operation in order to avoid the costs incurred by sending these SMS messages. The recipient of the SMS messages, as well as their content, can be specified by the attacker.

The Web UI communicates with the vulnerable module by sending and receiving XML requests and responses via XMLHttpRequest. However, the vulnerable module can also be accessed and controlled by sending an HTTP POST request with XML in the request’s body (see [2.1] for a capture of the HTTP request/response traffic). The vulnerable module does not verify where the request came from and will process this XML as if it had originated from the Web UI.
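To illustrate the missing check, here is an added example (not code from this advisory or from Huawei’s firmware) of the kind of request authorization the SMS module would need: the device ties an anti-CSRF token to the Web UI session and only honours POSTs to the SMS endpoint that carry that token and come from one of the device’s own origins. The hosts “hi.link” and “192.168.1.1” are the ones the advisory names; the header name X-CSRF-Token, the helper names and the session dictionary are assumptions of this example.

```python
import secrets
from urllib.parse import urlsplit

# Origins under which the E303 Web UI is served (per the advisory: http://hi.link
# and the device IP; 192.168.1.1 is the example IP the advisory gives).
TRUSTED_HOSTS = {"hi.link", "192.168.1.1"}
SMS_ENDPOINT = "/api/sms/send-sms"


def issue_csrf_token(session):
    """Bind a fresh random anti-CSRF token to the Web UI session (hypothetical helper)."""
    token = secrets.token_hex(16)
    session["csrf_token"] = token
    return token


def origin_is_trusted(headers):
    """True only if the request's Origin (or, failing that, Referer) is the device's own UI."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        # Browsers attach Origin to cross-site POSTs; a request with neither header
        # cannot be shown to come from the Web UI, so it is refused.
        return False
    return urlsplit(source).hostname in TRUSTED_HOSTS


def authorize_sms_request(method, path, headers, session):
    """Decide whether a request may reach the SMS module; returns (allowed, reason)."""
    if method != "POST" or path != SMS_ENDPOINT:
        return False, "not an SMS send request"
    if not origin_is_trusted(headers):
        return False, "cross-origin request rejected"
    expected = session.get("csrf_token")
    supplied = headers.get("X-CSRF-Token", "")
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not expected or not secrets.compare_digest(supplied, expected):
        return False, "missing or invalid anti-CSRF token"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests: one genuine Web UI call, one from a foreign page.
    session = {}
    token = issue_csrf_token(session)
    ui_call = {"Origin": "http://hi.link", "X-CSRF-Token": token}
    foreign = {"Origin": "http://attacker.example"}
    print(authorize_sms_request("POST", SMS_ENDPOINT, ui_call, session))   # (True, 'ok')
    print(authorize_sms_request("POST", SMS_ENDPOINT, foreign, session))   # (False, 'cross-origin request rejected')
```

Without such a check every browser on the LAN becomes a relay: the page only has to address the device, which is exactly what the advisory describes.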

The attached PoC [2.2] has been tested and confirmed with Mozilla Firefox 25, Microsoft Internet Explorer 11 and Google Chrome 31 and the following device/software versions, which are current at the time of writing:

3. Additional Notes

While both devices suffer from a direct request vulnerability, the main differences between VU#341526 and VU#325636 are:

a) Access requirements: According to http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6031, VU#341526’s access vector is “Local network exploitable” whereas the vulnerability reported by me is not only exploitable from a local network but from the internet as well.
For example, the PoC code I have sent to Huawei and CERT can simply be embedded in a web page on the internet; previous access to the victim’s local network is not required.
It seems to me that in order to exploit VU#341526, an attacker has to be connected to the WLAN/WiFi network created by the device, which is not required for VU#325636.

b) Impact: According to http://www.kb.cert.org/vuls/id/341526, an attacker can “gather [and change] sensitive configuration information”, whereas the vulnerability reported by me allows an attacker to remotely control the device to the point of using its SMS functionality which is not mentioned in VU#341526’s description. Its PoC Metasploit module does not refer to or access the vulnerable “/api/sms/send-sms” module either.

To summarize, both VU#341526 and VU#325636 describe the same type of vulnerability (CWE-425 / direct request vulnerability), although the vulnerability reported by me adds a CSRF vulnerability. However, VU#325636 not only targets a different device and different software but is also both easier to exploit and, in my opinion, easier to monetize.

4. Recommendations for End Users

It is Huawei’s responsibility to protect its customers against this vulnerability. With that being said, users of the Huawei E303 modem may want to take action to protect themselves against becoming victims of attacks targeting this vulnerability.

In order to minimize the direct financial impact of a successful attack, it is suggested that the E303 be used only with a pre-paid plan and a balance kept as low as practical.

Some web browsers offer security functionality which may be employed to strengthen defenses against attacks similar to the one described above (2.2. Proof of Concept).

4.3. Internet Explorer

End users can add “http://hi.link” and “http://[Device IP]” (e.g. “http://192.168.1.1”) to Internet Explorer’s list of “Restricted Sites” (Tools -> Internet Options -> Security -> Restricted Sites). Subsequently, Internet Explorer will display a warning when a web page tries to access the E303’s Web UI (“When you send information to the Restricted area, it might be possible for others to see that information. Do you want to continue?”). It is still the end user’s responsibility to read and understand this warning message and, of course, to choose “No” despite “Yes” being pre-selected.

4.4. Google Chrome

I am not aware of settings/extensions comparable to the ones mentioned above.

4.5. Safari

I am not aware of settings/extensions comparable to the ones mentioned above.